The problem(s) with OpenID

On occasion, my colleagues and I are asked whether Credentica is working to ensure that our innovative technology for user-centric identity management will work with OpenID. My short answer - “No” - is sometimes followed by the question “Why not?” Let me explain.

OpenID was designed as a lightweight solution for “trivial” use cases in identity management: its primary goal is to enable Internet surfers to replace self-generated usernames and passwords by a single login credential, without needing more than their browser. Concretely, OpenID aims to enable individuals to post blog comments and log into social networking sites without having to remember multiple passwords. (Of course, local password store utilities already do that; more on this later.)

Beyond this, OpenID is pretty much useless. The reasons for this are many: OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing to become an OpenID “consumer.” Many smart people have already elaborated on these problems in various forums. In the rest of this post I will be quoting from and pointing to their critiques.

SECURITY PROBLEMS

Let’s start with the security problems of OpenID.

As Ben Laurie in a piece called “OpenId: Phishing Heaven” notes: “The OpenID people [have] defined a standard that has to be the worst I’ve ever seen from a phishing point of view. […] I just persuade you to go anywhere at all, say my lovely site of kitten photos, and get you to log in using your OpenID. Following the protocol, I find out where your provider is (i.e. the site you log in to to prove you really own that OpenID), but instead of sending you there (because, yes, OpenID works by having the site you’re logging in to send you to your provider) I send you to my fake provider, which then just proxies the real provider, stealing your login as it does. I don’t have to persuade you that I’m anything special, just someone who wants you to use OpenID, as the designers hope will become commonplace, and I don’t have to know your provider in advance. So, I can steal login credentials on a massive basis without any tailoring or pretence at all! All I need is good photos of kittens.”

Kim Cameron explains the phishing attack in greater detail and notes: “The problem here is that redirection to the home site is under the control of the evil party, and the user gives that party enough information to sink her. Further, the whole process can be fully automated.” Elsewhere, Kim points out: “think of what we unleash with OpenID… It’s way easier for the evil site to scoop the skin of a user’s OpenID service because - are you ready? - the user helps out by entering her honeypot’s URL! By playing back her OpenID skin the evil site can trick the user into revealing her creds. But these are magic creds, the keys to her whole kingdom!”

Marco Slot in his “Beginner’s guide to OpenID phishing” demonstrates the phishing problem by providing code samples. Quoting: “There’s a new phish in town and it is big and easy to catch. A single OpenID may be used for hundreds of websites. This alone makes OpenID more vulnerable as losing one password means you’ve lost them all. Moreover, each of those OpenID enabled websites is able to trick the user into giving away her password. […] Would your grandma notice http://f5888d0b1.07e1c41c97a.be/a15 is not her real openid provider?” Marco also explains why naïve attempts to solve this (such as using cookies, identifying users by their IP address, bookmark login, and displaying personal icons) do not work.

Eugene and Vladimir Tsyrklevich in a recent Black Hat presentation furthermore point out that “the phishing attack can also be carried out by the host that the site consults to retrieve the URL of the identity provider.”

On a note related to phishing, Kim Cameron says: “How do I know I am looking at his web page or talking to his identity provider? By calling them up on DNS. […] OpenID is as strong, and as weak, as DNS. In other words, it is great for transactions that won’t attract criminal attack, and terrible for those that will.” Similarly, Tim Anderson remarks: “The whole OpenID structure hinges on the URL routing to the correct machine on the Internet. In other words, DNS. Now do some research on DNS poisoning. Scary.”

Then there are various browser vulnerability exploits that could have devastating consequences (not just with regard to phishing) if one were to rely on OpenID for anything beyond trivial uses with no real value at stake. Quoting Petko D. Petkov: “Cross-site scripting, also known as XSS, […] works in situations in which attackers need to circumvent the browser security settings […] to get access to unauthorized data using the browser as a proxy. […] Cross-site scripting is an injection attack in which attackers supply malicious code as part of a GET or POST request. It is sent to the attacked application and is then rendered as part of the remotely delivered HTML page. This attack is perfect for stealing session identifiers or creating massive worm outbreaks […] if [users] happen to visit a malicious website that contains an exploit of a cross-site scripting vulnerability found on a page from the identity provider origin that is used by the user, attackers could inject malicious code within that scope and hijack the user’s online identity. […] there are [other] threats such as the cross-site request forgery (CSRF), which is an attack vector that also abuses the browser’s same origin policies, but without the need to inject malicious code within the attacked website context. CSRF attacks perform blind GET or POST requests to resources that are not protected by unique tokens. Since the browser is configured to supply the necessary information, such as browser cookies and other settings, to every request, attackers can perform actions on behalf of the user. In this case, if the user is logged into the identity provider and visits a malicious page that executes a CSRF attack that causes a password reset, for example, attackers can hijack the user’s identity again.”

On a similar note, Allen Tom in “What’s broken in OpenID 2.0” says: “[A phishing site can] spoof the realm using an open redirect server or by exploiting an XSS flaw on a trusted domain, which means that neither the user nor the OP knows what site the user is signing into. This leaves users vulnerable to being phished on the RP site because OPs, including AOL and MyOpenID, use the realm and return_to parameters to assert the identity of the RP to the user before redirecting the user back to the RP. For example, it’s pretty trivial for a phishing site to get the AOL or MyOpenID OPs to tell the user that they’re signing into *.aol.com, *.microsoft.com, or *.go.com by exploiting redirect servers or XSS flaws on these trusted domains. […] Redirect servers, open reverse proxies, XSS flaws, and the like are widely known and eagerly circulated within certain communities, and without a doubt these bozos would be cranking out millions of SPIMs and SPAMS every hour if OpenID were to gain any traction in the mainstream.”
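The realm and return_to problem described above has a concrete defensive counterpart that is worth seeing in code. The following is an added example, not code from the original post or from any OpenID provider: a Python sketch of two checks an OP can run before it tells the user which site she is signing into. The first implements the OpenID 2.0 realm-matching rules (scheme, port, wildcard host, path prefix, no fragment); the second implements the specification’s RP discovery, where the OP fetches the realm’s XRDS document and accepts a return_to only if the RP lists it there, which is what defeats a return_to pointing at an open redirector on an otherwise trusted host. The realm, URLs and XRDS document are constructed sample values, and the XRDS is embedded rather than fetched over HTTP.

```python
# Added example (not from the original post): return_to validation an
# OpenID 2.0 provider can perform before displaying the realm to the user.
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
XRD_NS = "xri://$xrd*($v*2.0)"
DEFAULT_PORTS = {"http": 80, "https": 443}


def return_to_matches_realm(realm: str, return_to: str) -> bool:
    """OpenID 2.0 realm matching: same scheme and port, host equal to the
    realm host or covered by a leading '*.' wildcard, return_to path equal
    to or below the realm path, and the realm must not carry a fragment."""
    r, t = urlsplit(realm), urlsplit(return_to)
    if r.fragment or not r.hostname or not t.hostname or r.scheme != t.scheme:
        return False
    if (r.port or DEFAULT_PORTS.get(r.scheme)) != (t.port or DEFAULT_PORTS.get(t.scheme)):
        return False
    rhost, thost = r.hostname.lower(), t.hostname.lower()
    if rhost.startswith("*."):
        suffix = rhost[2:]
        if thost != suffix and not thost.endswith("." + suffix):
            return False
    elif rhost != thost:
        return False
    rpath, tpath = r.path or "/", t.path or "/"
    base = rpath if rpath.endswith("/") else rpath + "/"
    return tpath == rpath or tpath.startswith(base)


def registered_return_tos(xrds_document: str) -> list:
    """Collect the return_to URIs an RP publishes in its XRDS document."""
    root = ET.fromstring(xrds_document)
    uris = []
    for service in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in service.findall(f"{{{XRD_NS}}}Type") if t.text}
        if RETURN_TO_TYPE in types:
            uris.extend(u.text.strip() for u in service.findall(f"{{{XRD_NS}}}URI") if u.text)
    return uris


def verified_return_to(realm: str, return_to: str, xrds_document: str) -> bool:
    """Accept return_to only if it lies within the realm AND the RP's own
    discovery document lists a return_to endpoint that covers it."""
    if not return_to_matches_realm(realm, return_to):
        return False
    return any(return_to_matches_realm(uri, return_to) for uri in registered_return_tos(xrds_document))


# Constructed sample data (placeholder hosts, not real sites).
REALM = "https://*.example.com/"
RP_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://app.example.com/openid/return</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""
GOOD_RETURN_TO = "https://app.example.com/openid/return?nonce=placeholder"
# Same trusted host, but pointing at a redirect script rather than the
# registered endpoint: passes the realm check alone, fails RP discovery.
REDIRECTOR_RETURN_TO = "https://app.example.com/redirect?to=https://elsewhere.example.net/"

if __name__ == "__main__":
    for url in (GOOD_RETURN_TO, REDIRECTOR_RETURN_TO):
        print(url, "realm-only:", return_to_matches_realm(REALM, url),
              "with RP discovery:", verified_return_to(REALM, url, RP_XRDS))
```

The point the two results make is the one in the quote: a realm check on its own confirms only that return_to sits somewhere under a trusted domain, and any redirector or XSS page under that domain satisfies it; the RP’s own published endpoint list is what ties the redirect back to a specific endpoint.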

It does not stop here. Alex Kuza says: “[There is a] feature to set a site to be able to accept your credentials without you having to enter your OpenID password, and since your OpenID provider does not provide these details to the host, they do. Of course, you still need to be logged into your OpenID provider, but since you’re meant to be using this login for several sites, it’s not too much of a stretch to believe that you’re going to be logged in all the time you’re online - which is quite a large time frame. […] This means that an attacker can log you into any site you decided to trust via CSRF attacks because the site cannot tell if you’ve entered a password. Now this might not seem important, but it is very important for both large and targeted attacks because the user no longer needs to be logged into the service you want to attack, but merely logged into the central service. Even worse, this fact is completely misrepresented to users. […] Another insecure ‘feature’ is the lack of need to enter a password to register for a site. Out of […] 3 OpenID vendors, only [one] asked users for a password when registering for a site, the other two had only CSRF protections. This is admittedly not particularly serious because you still need an XSS (or similar) flaw in the OpenID provider’s site before you can take advantage of the design idea, but it is rather worrying that people designing secure systems don’t seem to want to implement defence in depth.”
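The “defence in depth” the quote asks for on the OP’s trust decision can be shown in a few lines. This is an added example, not code from the original post or from any OpenID vendor: a Python gate for an OP’s “always trust this site” action that requires both a per-session CSRF token (which a blind cross-site POST cannot supply) and a password re-authentication within a recent window, so that neither a missing token check nor a long-lived provider session is enough on its own. The session layout, the 300-second window and the account name are assumptions made for the example.

```python
# Added example (not from the original post): two independent checks on an
# OpenID provider's "trust this relying party" decision.
import hmac
import secrets

REAUTH_WINDOW_SECONDS = 300  # assumed policy: password must be recent


def new_session(user: str, now: float) -> dict:
    """Session created at password login; remembers when the password was entered."""
    return {"user": user, "csrf_token": secrets.token_hex(16), "last_auth": now, "trusted": set()}


def trust_form(session: dict) -> dict:
    """The form the OP renders. The hidden token is exactly what a forged,
    blind cross-site POST does not have."""
    return {"csrf_token": session["csrf_token"]}


def reauthenticate(session: dict, password_ok: bool, now: float) -> bool:
    """Record a fresh password entry (verification itself is out of scope here)."""
    if password_ok:
        session["last_auth"] = now
    return password_ok


def authorize_trust_decision(session: dict, form: dict, realm: str, now: float) -> tuple:
    """Return (ok, reason); add `realm` to the trusted set only if both checks pass."""
    token = str(form.get("csrf_token", ""))
    # Constant-time comparison so token checking does not leak by timing.
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return False, "csrf-token-mismatch"
    if now - session["last_auth"] > REAUTH_WINDOW_SECONDS:
        return False, "reauthentication-required"
    session["trusted"].add(realm)
    return True, "trusted"


if __name__ == "__main__":
    s = new_session("alice", now=1000.0)          # constructed clock values
    print(authorize_trust_decision(s, {}, "https://rp.example.com/", 1010.0))            # forged POST, no token
    print(authorize_trust_decision(s, trust_form(s), "https://rp.example.com/", 4600.0))  # stale login
    reauthenticate(s, True, 4600.0)
    print(authorize_trust_decision(s, trust_form(s), "https://rp.example.com/", 4610.0))  # both checks pass
```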

As an example, the Tsyrklevich brothers at the recent Black Hat conference showed how using OpenID for online banking would allow attackers to wire money to their own account using a simple cross-site request forgery attack. They also provided simple sample code for several hijacking, spoofing, and phishing attacks. In sum, OpenID adds up to little more than simple password management with extra overhead and lots of security problems. As Marc Canter stresses: “if we’re to stop phishing, and spoofing and ID theft - we need severe crypto, locked down, secure ID systems.” Ben Laurie elaborates as follows: “The OpenID fanboys want OpenID to work on any old platform using only standard software, and so therefore are doomed to live in the world of broken authentication. This is fine if what you protect with your OpenID is worthless, but it seems clear that these types of protocol are going to be used to authenticate for things of value. […] This is the root of the problem: if you want to protect anything of value, you have to do better than existing Web solutions. You need better client-side software. […] the best general way to handle this problem is through zero-knowledge proofs.” (Note: this is exactly what Credentica’s technology does.)

PRIVACY PROBLEMS

Second, OpenID suffers from fundamental privacy problems.

For starters, Allen Tom in “What’s broken in OpenID 2.0” points out the following privacy problem: “In order to free up desirable userids, many large OPs recycle userids belonging to inactive accounts. If an OpenID is recycled, the new owner will be able to access the previous owner’s data if the RP is not aware that the OpenID has changed ownership. This is a very problematic issue for mainstream OPs. For example, if someone (unknowingly) uses a recycled OpenID to sign into Zooomr, the user may see the previous owner’s private photos.”
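The recycling problem is a good place to see what an RP has to key its accounts on. The following is an added example, not code from the original post or from Zooomr or any OP: a Python account store that looks users up by the full claimed identifier, including the fragment that an OpenID 2.0 OP appends to distinguish successive owners of a reused identifier (the identifier-recycling mechanism in the 2.0 specification). A store that strips the fragment and keys on the bare URL is the behaviour the quote warns about, and is shown alongside for contrast. The identifiers, fragments and account names are constructed.

```python
# Added example (not from the original post): why an RP must key accounts on
# the claimed identifier *with* its fragment when the OP recycles usernames.
from urllib.parse import urldefrag


class AccountStore:
    """Accounts keyed on the full claimed identifier (URL plus OP-issued fragment)."""

    def __init__(self):
        self._by_claimed_id = {}

    def resolve(self, claimed_id: str) -> tuple:
        """Return (account, status): 'known' for a seen identifier, 'new' for a
        fresh URL, 'recycled' when the URL was seen before under another fragment."""
        if claimed_id in self._by_claimed_id:
            return self._by_claimed_id[claimed_id], "known"
        base = urldefrag(claimed_id)[0]
        seen_same_url = any(urldefrag(cid)[0] == base for cid in self._by_claimed_id)
        account = f"user-{len(self._by_claimed_id) + 1}"  # constructed account name
        self._by_claimed_id[claimed_id] = account
        return account, "recycled" if seen_same_url else "new"


class NaiveAccountStore:
    """The mistake the quote describes: fragment dropped, accounts keyed on the bare URL."""

    def __init__(self):
        self._by_url = {}

    def resolve(self, claimed_id: str) -> tuple:
        base = urldefrag(claimed_id)[0]
        if base in self._by_url:
            return self._by_url[base], "known"
        account = f"user-{len(self._by_url) + 1}"
        self._by_url[base] = account
        return account, "new"


# Constructed identifiers: same OP username, two different owners over time.
FIRST_OWNER = "https://op.example.com/alice#1a2b"
SECOND_OWNER = "https://op.example.com/alice#9f8e"

if __name__ == "__main__":
    for store in (AccountStore(), NaiveAccountStore()):
        print(type(store).__name__, store.resolve(FIRST_OWNER), store.resolve(FIRST_OWNER), store.resolve(SECOND_OWNER))
```

With the fragment-aware store the second owner lands in a fresh account; with the naive store the second owner is handed the first owner’s account, which is the private-photo scenario in the quote.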

Secondly, as Jan Miksovsky notes, OpenID’s claim on their site that “OpenID starts with the concept that anyone can identify themselves on the Internet the same way websites do—with a URI” sounds “dehumanizing and more than a little bit frightening.”

These issues may not be of grave concern to many users. There is, however, a much more fundamental privacy problem with OpenID. In the words of Ralph Bendrath: “I have looked into it a bit closer now, and I just can say it sucks. […] Your identity provider is able to track all websites you log into. They even tell you it’s a feature. User profiling made easy! […] You have a unique identifier (your OpenID uri) for all relying parties, so you can’t choose between different cards or identities for different sites. Cross-sites profiling made easy! […] The latter of course can be worked around if you use many different IDs. But then you run into the usability problems that OpenID was meant to overcome in the first place - having to remember several logins, passwords and so on.”

As a blog commenter puts it: “Is nobody of you guys concerned about the openid tracking capabilities? Who would wanna sign up with openid and let them know what websites you visit on a daily basis?” The Tsyrklevich brothers sum it up as follows: “the IdP can spy on the user’s activity on the Internet as it is a central clearing place for all of the user’s logins.” Or, in the words of a blog poster with the pseudonym Mordaxus, OpenID is “a huge boon for anyone who wants to start tracking on the web. […] if you want to steal from people or invade their privacy, OpenID is for you.”

In a piece called “Why OpenID is going to destroy the Internet”, Ilya Lichtenstein says: “I’m not the paranoid conspiracy-theorist type, but even I am terrified of what could happen if all of our actions on the Internet could be tracked to a single identity. Imagine Big Brother coming across an offensive post you made on an anti-government website, and then tracking you through every book you bought, every comment you made, every song you listened to. Don’t say that this is already possible with an IP address - it takes a court order to get a name from an IP address, but your creepy neighbor could easily stalk you from your OpenID. […] Anonymity is one of the strengths of the Internet that allows for so much free expression - without it, the Internet loses one of its key strengths. […] Imagine a key logger or trojan compromising your OpenID password because you logged in from an insecure public computer. Now, the hacker controls every element of your digital life - so much for using different passwords on different sites for security. Imagine an OpenID server being compromised - there go thousands of identities, full complete identities compromised with ease. OpenID would be a ripe target for hackers. […] And, finally, imagine what OpenID promises - all of your online identities, connected and unified. Do you really want that?”

Clearly, if OpenID were to be used on a grander scale, the privacy implications would be enormous. As the author of a blog post titled “OpenID: A great thing… going amok?” puts it: “More than anything else, privacy and free will would be my biggest concerns. […] What I don’t like is being assigned an OpenID (or anything else for that matter). […] Personally, I was a bit peeved when Wordpress turned this blog into an OpenID without ever asking me. […] Now, let’s take that to another level: an entire nation requiring citizens to use OpenID. The thought sets butterflies on a wild ride through my belly.”

So much for privacy. Credentica’s technology, in contrast, provides ultra-strong privacy guarantees by design. These features, like our multi-party security features, require more client-side intelligence than today’s standard Web browser offers. Even if OpenID were to embrace such client-side intelligence, however, its simplistic URL architecture would be fundamentally incompatible with privacy features such as untraceability, unlinkability, authenticated anonymity and pseudonymity, and minimal disclosure.

TRUST PROBLEMS

Third, there is the OpenID issue of trust (or rather, the lack thereof). The old OpenID site was quite explicit in this regard: “What about trust? This is not a trust system. Trust requires identity first.” As the author of a piece titled “The OpenID Farce” objects: “Ummm, no. Actually, Identity requires trust first. Identity without trust is meaningless. […] OpenID is Yet Another Identity Transport System… without trust. […] an identity/trust system needs to convey that “‘This is Steve’ and I’ll back that up with $XX if I’m wrong” or “‘This is Steve’ by the authority of the State of California with all of the rights and responsibilities thereof”. […] If you can’t make that promise, don’t talk to me about ID.” Or, in Jeremy Schoemaker’s words: “There’s nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider.”

Even for the trivial use cases that OpenID is used for today, this poses a major problem if OpenID were to gain in popularity. By way of example, a commenter at Slashdot notes: “Once this system is widely used, and spammers begin to register OpenIDs in huge numbers, how will site owners prevent spammy registrations? […] Blindly trusting OpenIDs and allowing them into a site, or giving them posting rights would be crazy. […] If [this problem] isn’t solved we have a one-stop-shop for spammer IDs.”

USABILITY PROBLEMS

Fourth, OpenID suffers from usability problems.

Neil Cauldwell in a piece titled “OpenID is too complicated” says: “I can log-in to any OpenID friendly site just by typing in ‘NeilCauldwell.com’. But do I ever use it? […] I’m already signed-up with all the services I use on a regular basis, and have a password manager that handles the usernames. In its current state, OpenID isn’t going to do much for me […] Why sign-up to OpenID when your favourite sites are bookmarked by the browser, and authenticated by a password manager? […] Even if they have an OpenID, [users] still need to create and fill-out a unique profile within each service they use. This means OpenID creates a double login procedure. As we already know, once is bad enough.”

Jan Miksovsky notes: “The process of selecting an OpenID provider will stump the average consumer. […] Why would a site operator let anyone leave their site to perform a task from which they will never return? […] Currently, even those sites that do implement OpenID generally treat OpenIDs as a second-class form of identification. They put their own proprietary means of signing in (generally with a user name and password) on their home page, and bury the OpenID sign in facility behind a link. […] And all this is for—what, exactly? To save me from having to pick a user name and password? […] I can’t imagine a sane business operator forcing their precious visitors through this gauntlet of user experience issues just for the marginal benefits that accrue to a shared form of ID. […] there’s no business of any size that can afford to direct their traffic down a dead end.”

ADOPTION PROBLEMS

Fifth, while lots of organizations are jumping in to become OpenID providers, there are virtually no OpenID consumers.

Dana Epp writes: “I could care LESS if Six Apart or Technorati can be an OpenID provider. I don’t particularly have a lot of care or trust in them. I want these sites to trust MY provider… which in this case is my own corporate authentication server. […] I think that is getting lost with all these players.”

Nik Cubrilovic in a piece titled “OpenID: Too many providers, not enough consumers” writes: “There have been a spate of announcements recently with a number of companies both large and small announcing that their products will ’support’ OpenID. […] All these OpenID support announcements and I am not getting anywhere with my OpenID. […] it seems that while we have plenty of companies wanting to step up as providers (easy) and have their users use their OpenID’s with other applications, we don’t have enough companies stepping up as consumers of OpenID. […] it seems that OpenID is flavor of the month and everybody is jumping on for the ride (I could post ‘Burger King Supports OpenID’ and it would make the frontpage of digg). […] It seems that most of the justification for the big companies and other apps not wanting to be providers is so that they can protect their customer base and maintain a hold.”

Microsoft’s Dare Obasanjo points out that this reluctance to become an OpenID consumer may well be a fundamental problem: “When you look at the long list of Open ID providers, you may notice that there is no similar long list of sites that accept OpenID credentials. In fact, there is no such list of sites readily available because the number of them is an embarrassing fraction of the number of sites that act as Open ID providers. Why this discrepancy? If you look around, you’ll notice that the major online services […] all provide ways for third party sites to accept user credentials from their sites. This increases the value of having an account on these services [which] increases the likelihood that I’ll get an account with the service which makes it more likely that I’ll be a regular user of the service which means $$$. On the other hand, accepting OpenIDs does the exact opposite. It actually reduces the incentive to create an account on the site which reduces the likelihood I’ll be a regular user of the site and less $$$.”

Last, but not least, becoming an OpenID consumer means that another site (potentially a competitor, now or in the future) learns in real time which person is visiting at what time - potentially very valuable competitive information.

AVAILABILITY PROBLEMS

Still another concern is pointed out by the author of a blog called Internet Duct Tape: “The decentralization that is openID’s strength is also its biggest weakness. If your openID server goes down then you’re locked out of *all* of your other web accounts that used that login. […] In order to login to a web app with openID the web app needs to be working AND my openID server needs to be working. The greater number of interconnecting parts decreases my chances of getting everything to work together much more than the benefit of not having to manage multiple user accounts. […] if you use someone else’s openID server then you’re screwed.”

PATENT PROBLEMS

What all of the above points at is that OpenID is lots of pain with little (if any…) gain. If that is not enough reason for concern, then perhaps the following issue is. This particular concern relates to OpenID’s claim that it is an “open, decentralized, free framework for user-centric digital identity.”

The issue here is not so much the one that Neil Cauldwell points out: “If [users] sign-up to a service that only supports OpenID’s from certain servers, OpenID isn’t even open. At least with a proprietary sign-in process you’d be under no illusions that the username you created with service ‘x’ would work with service ‘y’. But if the big players decide to mess about with server authentication, your OpenID may or may not work at another site. This is where it becomes a complete mess.”

No, the real issue is that various parties have made claims that OpenID is covered by their patents. One is mentioned on the Wikipedia page on OpenID: a pending USPTO patent application, with PCT priority from Denmark of March 9 2001, that “covers the central aspects of OpenID.”

Other patents may apply as well. Jeff Bohren says, “Dave Kearns […] talks about the patents that Sxip Identity has applied for which appear to cover OpenID. He relates that Dick Hardt assured him that Sxip Identity will be issuing non-assertion statements on OpenID soon. Of course I find it odd that a company would spend the time, effort, and money to pursue IP that they already don’t intend to enforce. […] the Sxip Patent Applications so far made public include […] these.”

Chuck Mortimore, who used to direct SXIP’s engineering efforts, states: “I think it’s a gross misrepresentation of the truth to say OpenId was based upon SXIP,” but that is not necessarily an indication that the SXIP patents do not cover OpenID.

Even if one were to take the position that the abovementioned patents are pre-dated by tons of prior art and/or are “obvious to those of ordinary skill in the art,” that may hardly be reassuring for sites that establish themselves as OpenID providers or consumers – they risk being presented at any time in the future with litigation threat for patent infringement. The “pledges” made by various players involved in OpenID that they will not sue for patent infringement do not prevent certain litigation scenarios from becoming a reality.

CONCLUSION

So, there you have it – why we’re not working to ensure that our technology works with OpenID: there are simply irreconcilable differences between the two. Now, mind you, it IS possible to do a drastic overhaul of OpenID so that it will be possible to provide multi-party security and privacy. Doing so would amount in essence to discarding most of the OpenID work, keeping only the notion that in some cases it might be useful for individuals to facilitate “identity provider discovery” by providing a URL. The reality is that at such a point we’re not talking about an improved OpenID system anymore, as the use of a URL for IdP discovery would be pretty much all that would remain.

50 Responses to “The problem(s) with OpenID”

  1. engtech @ IDT Says:

    Damned good article, thanks for including me in it.

    One thing that has been bugging me more and more is how openID providers have been recommending that you use their login urls again and again when they say they support openID (provider). At no point do any of them mention how dangerous this is. The only sensible use of openID is with a domain name that you own so that you can delegate it where ever you want and not be locked in. But that is never mentioned anywhere. They always recommend that you use http://username.bigco.com as your url — meaning that if you lose your username@bigco account you can permanently lose access to all of your sites.

  2. Compendium of OpenID Issues « Identity Blogger Says:

    […] 23rd, 2007 · No Comments There is this great post from Stefan Brands of Credentica on his Identity Corner blog. This is perhaps the most complete compendium on OpenID problems I have seen so far. Most of these I had heard of before, but a couple surprised me. This should be required reading for anyone who is thinking about adding OpenID authentication to a site. […]

  3. Scott Kveton · David slams muckraking Says:

    […] David Recordon has a great response to Stefan Brands “Fox News”-style FUD laced post about OpenID. Nice post David. […]

  4. Labnotes » Rounded Corners - 138 Says:

    […] The case against OpenID. This is quite an extensive list of problems with OpenID. Some not that bad, and the list was compiled by a vendor, but even with a mountain of salt and turning a blind eye on some parts, I’m left with the impression that OpenID is an ideal in denial of real life lessons. (Via Engtech) […]

  5. Crosbie Fitch Says:

    I sympathise with all your points on OpenID. I don’t think OpenID is going to solve the problem it purports to (however popular it becomes).

    That said, I’m not particularly inspired by any ‘black box’ solution, nor any that artificially elevate any participant above the status of peer. I’m not suggesting that all participants must be equally reputable/trustworthy, just doubting systems that rely at the outset for particularly reputable participants to be identified for future reference by the system/participants.

    I sketched out the basis of such thinking recently here:
    http://www.digitalproductions.co.uk/index.php?id=69

  6. Stefan Says:

    Scott, given your involvement with OpenID provider JanRain and the OpenID foundation, I understand that your views on OpenID are different than mine. Regarding Dave’s response to my post, see my comments at http://daveman692.livejournal.com/310578.html?thread=902194#t902194.

    OpenID to me is Web 2.0’s equivalent of green tea. I have nothing against green tea (I drink it from time to time). Where things get dangerous is when green tea is seen as (let alone hyped as) the cure for all kinds of serious health conditions where people _really_ should visit a doctor. OpenID is currently being seen by various parties as a healthy foundation for much more serious identity and access management applications where a lot more is at stake than someone impersonating or tracking your blog comments. The recent announcement by Estonia IT folks that they are experimenting with tying OpenID into a national ID card scheme for Estonia is an example of this. Personally I find that a very worrisome trend. My colleagues and I have looked into OpenID, to see if we can combine our “medical equipment” with your “green tea,” but the two simply don’t mix.

    - Stefan

  7. Anonymous Says:

    The vast majority of these problems are found in the standard username/password style logins, and many can be alleviated by choosing a secure provider. Don’t just grab the first OpenID provider you see. Some are better than others.

    Verisign is experimenting with being an OpenID provider:

    -They provide a Firefox plugin that detects phishing attempts.
    -They provide a hardware security device with a number that can only be used once and expires quickly.

    They essentially solved the phishing problem: They provide means of detecting phishing, and even if phishing is successful, the number used to authenticate expires quickly and can’t be reused. Unfortunately, this assumes you use them as a provider - other providers may not provide such services.

    Cross-site scripting can be alleviated somewhat with Firefox’s NoScript plugin - although it must be noted that this vulnerability is likely to exist in ANY security solution where the Internet is involved.

    Privacy is definitely a valid issue - again, this will depend on the OpenID provider. Choose somebody you trust. Or just become your own OpenID provider.

    Usability:
    Let’s see - one username, one password, one URL.

    Compared to having a billion usernames and passwords?

    Okay, smart people will have a password manager - but it’s not like there aren’t issues with those (quick: how many of them don’t encrypt the passwords? Too many.). And hey, I can store my OpenID in a password manager :). I’m not sure how it’s any less usable than having a gazillion names and passwords.

    And no, if implemented properly, it shouldn’t create a “double login.” Once you login with your OpenID, that should be it, you shouldn’t have to login a second time. Your OpenID is your identity - your profile should be connected to your OpenID.

    “If you look around, you’ll notice that the major online services […] all provide ways for third party sites to accept user credentials from their sites. This increases the value of having an account on these services [which] increases the likelihood that I’ll get an account with the service which makes it more likely that I’ll be a regular user of the service which means $$$. ”

    Vehemently disagree. I can’t count the number of times I’ve created a throwaway profile when I only needed to use a service once. Creating a profile makes me no more likely to reuse a service. And just because they ALLOW a third party site to use their profiles doesn’t mean that the third party sites are actually doing so. I have YET to see one site use another site’s verification system, other than the recently merged PayPal and eBay.

    Wait - I know - some people are using Verisign as an identity provider. But Verisign looks like it’s going to be jumping on the OpenID bandwagon.

    Yes, adoption can be an issue - but this is an issue with ALL identity services I’ve seen.

    Problem is, who is offering a better solution? Nobody.

    Pretty much every other identity solution I see is some vertical market thing that the average joe cannot afford.

    Every identity solution I know of is targeting big businesses - nobody is targeting the average joe surfing the internet.

    Do you have a better idea?

  8. OpenID Kerfuffle « Identity Blogger Says:

    […] 26th, 2007 · No Comments As I mentioned here, Stefan Brands wrote a very extensive post discussing the issues surrounding OpenID. Dave Recordon’s passionate reply can be found here. Dave Kearns’ comments are here. […]

  9. Don Park Says:

    This post has one valid point - phishing is a problem. This is also nothing new. The solution is looking at the URL bar when logging in to the IP and using client-side certificates. Unfortunately, certificates never caught on and SSL is used only to prevent sniffing. Verisign’s Seatbelt plugin for firefox is one solution. Its audience is limited - those with firefox and a certain understanding about single signon. So over all, a good point.

    The misinformed quotes and other points are many. Here are two:
    “OpenID aims to enable individuals to post blog comments” - openid is so obviously general-purpose that this looks like FUD.

    “local password store utilities already do that” - to equate a distributed single signon system with a password manager looks like either the author doesn’t understand single signon or it’s more FUD.

    “The old OpenID site was quite explicit in this regard: “What about trust? This is not a trust system. Trust requires identity first.” As the author of a piece titled “The OpenID Farce” objects: “Ummm, no. Actually, Identity requires trust first. Identity without trust is meaningless.” - This is largely semantic. The identity is the ‘thing’ you are trusting to be true. So it’s impossible to trust something unless the something exists! But the author of the quote means something else - His ‘trust’ is between you and the giver of the identity. This is more like saying the ID is useless unless the provider of the ID is trustworthy. OpenID works differently - the ID is given and is in an untrusted state until the IdentityProvider verifies it.

  10. Marco Slot Says:

    This pretty much covers all of it. Thank you for writing this article.

    It’s funny that OpenID, supposedly an authentication system, is actually just DNS in an elaborate disguise and DNS really does not provide authentication.

    Anonymous OpenID providers put OpenID in the right perspective: http://www.jkg.in/openid/ . You’re not authenticating to the consumer. You’re not authenticating to the provider. It’s the provider that is authenticating to the consumer using the URL as a credential, or more specifically the domain. One could argue that the domain is linked to a real-world identity (address), but what are you going to do when the ownership changes, potentially to someone with evil intentions? Well, nothing. First you wouldn’t even check it. Second it could be a simple administrative change. For this reason we cannot truly identify someone unless we have a revocation mechanism like X.509 does. Conclusion: Like DNS, OpenID does not guarantee the identity and therefore it does not provide authentication.

    The technical flaws of DNS also appear. As Kim Cameron and Tim Anderson mentioned: DNS is not secure. In fact, DNS spoofing is like the Hello World of network hacking. For a quick introduction read:
    http://www.securesphere.net/download/papers/dnsspoof.htm . All you need to do is reply before the DNS server does, which is not particularly hard with OpenID because you control when the server is going to do a DNS lookup and what DNS lookup it is going to perform. You can simply start pushing out messages at the moment you try to ‘authenticate’.

    Even if we take the standard false assumption of web security that there are no man-in-the-middle attacks possible then OpenID still requires consumers and providers to talk through SSL with strict verification of certificates. Without the assumption OpenID simply breaks down just like DNS does.

    I couldn’t think of any good reason to become an OpenID consumer except for trying to steal a few passwords. If we’re talking serious security (banking) we need the guarantee of no man-in-the-middle attacks, thus OpenID is not an option. If we’re talking non-serious security (blogs/forums) we suddenly need to install a heavyweight SSL-based system just to get the basics right.

    I wonder, what was it that OpenID was supposed to provide us with?
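Marco Slot’s point above, that the consumer ends up trusting a domain rather than a person and that the consumer-to-provider hop needs strict certificate verification, made concrete in Python. This is an added example, not code from the post or from any OpenID library: the identifier normalisation is a reduced version of the rules the OpenID spec describes and is an assumption here, and the function names are mine.

```python
"""Relying-party-side checks that make the comment's point concrete:
an OpenID identifier is just a URL, so what a consumer ends up trusting
is the DNS name that URL lives under, and the only protection against a
spoofed provider is a strictly verified TLS connection.

Added example, not OpenID library code. Normalisation rules (prepend
"http://", lower-case the host, drop the fragment) are an assumption
reduced from what the OpenID spec describes.
"""
import ssl
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(claimed: str) -> str:
    """Turn a user-typed identifier into the URL the RP will discover on."""
    claimed = claimed.strip()
    if "://" not in claimed:
        claimed = "http://" + claimed
    parts = urlsplit(claimed)
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("identifier has no host")
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    path = parts.path or "/"
    # Fragments never reach the provider, so they cannot be part of the identity.
    return urlunsplit((parts.scheme.lower(), netloc, path, parts.query, ""))


def trust_anchor(identifier: str) -> str:
    """The DNS name whose owner can answer for this identifier.

    The path that tells users apart is under that owner's control, so two
    users on one host share the same anchor: the RP trusts the domain,
    not the person.
    """
    return urlsplit(normalize_identifier(identifier)).hostname


def endpoint_is_acceptable(endpoint: str) -> bool:
    """Refuse a discovered provider endpoint unless it is plain https."""
    parts = urlsplit(endpoint)
    return parts.scheme == "https" and bool(parts.hostname)


def provider_tls_context(strict: bool = True) -> ssl.SSLContext:
    """TLS context for RP-to-provider calls.

    strict=True is what the comment asks for: chain validated against the
    system trust store and the certificate name checked against the host.
    strict=False is the lax setting a spoofed DNS answer walks straight past.
    """
    ctx = ssl.create_default_context()
    if strict:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Constructed sample identifiers; no network access is made.
    for claimed in ("Alice.Example.com/id#frag", "https://example.com/bob"):
        print(claimed, "->", normalize_identifier(claimed), "anchor:", trust_anchor(claimed))
    print("http endpoint accepted?", endpoint_is_acceptable("http://op.example.com/server"))
```

The two `trust_anchor` calls in the demo return the same host for different users, which is the comment’s point in one line: whoever controls `example.com` (now or after an ownership change) controls both identities, and the RP has no independent way to tell.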

  11. Marco Slot Says:

    “Even if we take the standard false assumption of web security that there are no man-in-the-middle attacks possible then OpenID still requires consumers and providers to talk through SSL with strict verification of certificates. ”
    By the way, the original problem of the bankrupt provider is not affected by this.

  12. The problem with OpenID...finding timely, relevant examples to shill with? | Michael Gracie Says:

    […] Stefan Brands of Credentica took some time last week to attack some of the weaknesses in OpenID security. David Recordon of Verisign Six Apart responded in kind. Media critique/political statement notwithstanding, Recordon pointed out that the majority of Stefan’s references were actually working with OpenID, the goal being interoperability and/or supplemental security. David questions why Brands/Credentica are not joining the party. […]

  13. Stefan Brands Says:

    Over at Dave Recordon’s blog, various other comments to my original post and Dave’s response have been posted. To those who believe the security problems of OpenID can easily be fixed, I strongly recommend that you read the following comments:

    - http://daveman692.livejournal.com/310578.html?thread=903730#t903730

    - http://daveman692.livejournal.com/310578.html?thread=906034#t906034

    In relation to that, please note that once we start fixing some of the security problems of OpenID via special client software, such as browser plugins, there is no legitimate reason at all anymore to stick with the simplistic OpenID URL approach; one might as well leverage that same client-side intelligence to switch to a much more secure architecture. (CardSpace is an excellent example of such an architecture.) Let’s not forget that OpenID’s home-grown design was shaped by the requirement that it had to work with a plain-vanilla browser. Once we let that requirement go, there really is no excuse anymore to take a “look ma, no crypto!” approach.

    - Stefan

  14. Trufina, Inc. - Personal Identification Management Says:

    […] 2007 outlining a bunch of weaknesses in OpenID.  Then Stefan Brands amplified the critique in a long blog post.  David Recordon fired back in a post of his own, in which he expresses confidence that OpenID […]

  15. Julian Bond Says:

    But, But, we still need a single signon system that is as easy to implement as OpenID. So if OpenId is so flawed, where is the alternative?

    And BTW, OpenID consumers are becoming more and more common now the libraries are available and people get comfortable with them.

  16. netzpolitik.org: » Criticism of digital identity management » Current reporting on the political topics of the information society. Says:

    […] Credentica, who has been an authority in IdM research for years, has just put a comprehensive compilation of the criticism of OpenID on his blog. Well worth reading - even I had not seen the problems laid out so densely before. […]

  17. alex Says:

    Hm, if you host openid on your own host, most of the problems will vanish …

  18. Callum Says:

    For the record, I think this article is (understandably) biased. I think openID has issues, as do any single sign on services. I still *much* prefer openID to *any* proprietary system, primarily because it’s an open standard. Given the number of major names getting behind it, I think all of the issues will be resolved in time.

    Any talk of “an armageddon of spam” is, in my view, ridiculous. Consumers vote with their feet. If openID leads to spam, the problem will be solved or openID will go away (unlikely).

  19. IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer Says:

    […] Brands runs off in the wrong direction in his recent treatise on OpenID.  Who really needs a “shock and awe” attempt to bonk the new OpenID “cryptographic […]

  20. Maciej Piechotka Says:

    With many points stated I agree or partially agree. But the messing around with the protocol affected many protocols, better or worse designed, such as smb, soap, html (I know it’s not a protocol). I don’t know anything that could stop it in the design of a protocol.

  21. viralmythen Says:

    The problems with OpenID…

    The idea behind OpenID is compelling: an open, decentralized platform for identity management. The goal: »the elimination of multiple user names and passwords and a smoother, more secure, online experience.« That this, however…

  22. Anonymous Says:

    “OpenID: King Of Fools” — another post in the ongoing OpenID thread: http://storm.alert.sk/blog/identity/king-of-fools.html

  23. OpenID: Blessing or curse? « Stefon’s Blog Says:

    […] are a lot of criticism against openID. I found this article on The identity corner quite comprehensive. It summarizes the flaws which are in the openID system.. Or better said: The […]

  24. Yahoo Mash: Steps toward consolidating Yahoo web Properties? at Uno de Waal Says:

    […] talking about Identity for a while here, some people say OpenID is the way to go, others are a bit skeptical about it. But if Yahoo adopts some sort of identity server there is quite a large possibility that […]

  25. Stefan Brands Says:

    Additional relevant links on the topic:

    Mike Neuenschwander:
    + “Freakonomics of OpenID”
    + “Braying About Sun’s OpenID Support”
    + “Identity’s Inconvenient Truth”

    Bob Blakley: “What is OpenID for?”

    Marc Dixon: “OpenID Credibility: Harry and Bess Truman”

  26. Pushing String » Sun OpenID IdP: protocol and implementation review Says:

    […] is cross-site request forgery (CSRF/XSRF, already highlighted in Stefan Brands’ now-famous catalog of OpenID issues), which many providers seem susceptible to. Another issue we noticed during […]

  27. Radovan Semancik Says:

    I can generally agree, but there are usually two sides to the coin. In this case there seem to be three sides. Details in my blog:
    http://storm.alert.sk/blog/identity/openid-dogfight.html

  28. Technophilia: One OpenID to Rule Them All…or Not? · TechBlogger Says:

    […] Anonymity concerns: Some of us actually enjoy multiple personalities—not to mention anonymity—on the web, instead of just one identity provided by OpenID. Though you can build more than one OpenID URL to take care of this, many of us already have password management systems, so OpenID might seem a little redundant. However, OpenID is an excellent solution for managing usernames and passwords to sites and networks you don’t mind losing if compromised (this is both a pro and a con). For more sensitive information, such as financial or email, I wouldn’t suggest that you use OpenID to manage your information. At least, not yet. There are security issues that need to be addressed, namely, the fact that amateur hackers need only one username and password to get all your information—plus the smart hacker can potentially hitch that cracked username to an email and go really nuts. For an excellent discussion of OpenID security concerns, I suggest you read The problem(s) with OpenID. […]

  29. iGadget Says:

    This sounds like the German home secretary initiated this idea of OpenID, so that he can track all citizens on any network collaborating with OID…

    This is more big brother stuff than anyone would need. The idea behind it is pretty cool, but centralizing never gave the creators opportunities.

    If I would need a better way to be tracked and chased, I would use it directly ;)

  30. Technophilia: One OpenID to Rule Them All…or Not? | Tolagomi News Says:

    […] Security concerns: OpenID logins work by redirecting you to the OpenID hosting provider and having you enter your single username and password there. This means that potentially, an evil operator could set up a phishing site in that redirect which collects your login information. If they do, due to the nature of OpenID, they’ve got the keys to all the sites you OpenID into. For an excellent discussion of OpenID security concerns like this one, check out The Identity Corner’s article on The problem(s) with OpenID. […]

  31. WritingMonkeys Development Diary » Blog Archive » OpenID or not OpenID Says:

    […] place just to try out all these fun sites (like writingmonkeys.com). However, there are way more fundamental flaws that I thought of before; in fact, those flaws make me think if I should use OpenID at all. Not […]

  32. meneame.net Says:

    The problems with OpenID…

    In this article, Stefan Brands of Credentica lists the problems he finds with the online identification system OpenID: security problems, privacy problems, trustworthiness problems, usability problems, problems when it comes to adopting the system, problems of…

  33. i like ellipses… » Government surveillance and s Says:

    […] hat hacker’s dream come true. This is, of course, why OpenID is such a great idea. Sure it has its problems, but using OpenID means that login data doesn’t need to be distributed across the Internet at […]

  34. i like ellipses… » Death and destruction from OpenID Says:

    […] has been a blog post floating around recently which discusses the many pitfalls of OpenID. The article breaks the […]

  35. OpenID sucks. « Outside the Bubble… Says:

    […] ID Corner: Problem(s) with OpenID […]

  36. Search Standards and OpenID; not only for single sign-on, will search standards emerge? « Vannevar Vision Says:

    […] Stefan Brands’s in-depth analysis of the problems that may arise with OpenID, OpenID is a good solution. Not only because of the ease […]

  37. SuperBoB » Blog Archive » OpenID and online reputation Says:

    […] course, OpenID has its detractors, but many of these objections have been addressed in a recent Security Now podcast […]

  38. OpenID and the Social Graph « Meaningful Data Says:

    […] The problem(s) with OpenID (from a blog called The Identity Corner) […]

  39. OpenID 2.0 « TIDDER Says:

    […] just as happened with the current version, some problems are noted with this new version, which they will try to polish and fix this week in […]

  40. Blogreader Says:

    The Troubles with OpenID 2.0

    Marshall Kirkpatrick just published “The Troubles with OpenID 2.0”. He mentions that there is virtually no support for inbound OpenID among big players, and “growth in general seems down, in fact.” He also describes usability problems. Regarding the privacy problems with OpenID, a commenting reader says: “what about the back door? can someone, say our favorite government, find out everything i have said or done on the web by just making friends with an open id vendor? seems a total scam to me, part of the collecting data for more targeted ads, at best, and total loss of privacy at worst… what am i missing?”

  41. What is an OpenID | Blogging Sueblimely Says:

    […] this -  The problem(s) with OpenID has me concerned about its security […]

  42. sharpo Says:

    There are a lot of good points in this article. Although I can’t agree with all of them:

    - DNS is not an OpenID problem. You would have to stop using ssl-secured services if your concern is DNS. Your browser compares the hostname in the ssl-certificate to the hostname in your address bar. It cannot know if the IP to which this host resolves is not being spoofed. The insecurities of DNS have been known for years and are being worked on.
    - Concerning Phishing: “To educate people to act responsibly is too hard, so let’s give up.” is not a valid argument in my eyes.
    - Concerning openid tracking I think this is really a plus. Don’t forget that you could always set up your own openid server. OpenID is decentralized. There is not ONE big Authentication provider which sees ALL users. As a user you are free to choose whom you trust. You could also use different OpenID providers for your different identities.

    The real problem I see is the trust problem. I disabled anonymous comments on all my sites - why would I enable OpenID comments, if every spambot can provide its own OpenID identity?
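sharpo’s sentence about the browser comparing the certificate’s hostname with the address bar describes the one check that makes a spoofed DNS answer harmless to a verifying client: the attacker’s server may answer for the IP, but it cannot present a trusted certificate for the name. Added example, not the commenter’s or any browser’s code: it implements the dNSName matching rules of RFC 6125 in simplified form (only a bare left-most `*` wildcard, matching exactly one label, with at least two fixed labels after it), and the sample subjectAltName list is constructed.

```python
"""Hostname matching as a verifying client performs it, in simplified form.

Added example. Modern clients match the requested host against the
dNSName entries of the certificate's subjectAltName; the rules below
follow RFC 6125 but are simplified (partial wildcards such as
'a*.example.com' are rejected outright).
"""
import ipaddress
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    """Lower-case, strip a trailing dot, split into DNS labels."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Does one dNSName entry from a certificate cover `hostname`?"""
    p, h = _labels(pattern), _labels(hostname)
    if not p or not h or not all(p) or not all(h):
        return False
    # Certificates name hosts, not addresses: an IP literal never matches a dNSName.
    try:
        ipaddress.ip_address(hostname.strip())
        return False
    except ValueError:
        pass
    if "*" not in pattern:
        return p == h
    # Wildcard rules: only the whole left-most label may be '*', it stands
    # for exactly one label (never crossing a dot), and at least two fixed
    # labels must follow it, so '*.com' can never match anything.
    if p[0] != "*" or any("*" in lab for lab in p[1:]) or len(p) < 3:
        return False
    return len(h) == len(p) and h[1:] == p[1:]


def certificate_matches(san_dns_names: Iterable[str], hostname: str) -> bool:
    """Accept the certificate only if some dNSName in its SAN covers the host."""
    return any(dns_name_matches(n, hostname) for n in san_dns_names)


# Constructed sample: the dNSName entries of an imaginary provider's certificate.
SAMPLE_SAN = ["openid.example.com", "*.op.example.net"]


if __name__ == "__main__":
    for host in ("OpenID.Example.COM", "www.op.example.net",
                 "a.b.op.example.net", "op.example.net", "evil.example.com"):
        print(f"{host:22} -> {certificate_matches(SAMPLE_SAN, host)}")
```

The negative cases are the useful ones for sharpo’s argument: a server reached through a forged DNS answer for `evil.example.com` or a deeper label is refused even though the connection itself was set up, which is exactly the guarantee Marco Slot’s comment says an OpenID consumer must insist on when it talks to the provider.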

  43. Why Hasn’t OpenID Caught On? | Mark Evans Says:

    […] the sites he can use OpenID on and those that he’d like to use it on but can’t yet. The Identity Corner said OpenID’s problems were seven-fold: trust, security, privacy, usability, adoption, […]

  44. The Implications of “Data Portability” Under Repressive Regimes : Committee to Protect Bloggers Says:

    […] arrived with a relative paucity of skepticism regarding the inherent risks. There has been some criticism, but not as much as I think it warrants and certainly not in more high profile publications. Now, […]

  45. OpenID links (for Geeks) at DO Says:

    […] The problem(s) with OpenID A great article to start with. […]

  46. Web Worker Daily » Archive OpenID: Is it Time to Care Yet? « Says:

    […] version of the spec, but certainly they have been debated; Stefan Brands rounded up a long list of problems with OpenID, and David Recordon responded at length (the comments to both posts are worth reading as well). It […]

  47. blogx » Blog Archive » IdP Phish Says:

    […] about what the DataPortability.org thing is all about and also came across many essays that are not so enthralled with the idea, along with some nifty examples from Marcos how to land this big phish. Single sign […]

  48. » Google Pumps OpenID Too Says:

    […] work out their implementations, others are raising the temperature of the debate on IDM solutions. Stefan Brands is among the OpenID naysayers (David Recordon’s response), while Scott Gillbertson sees a bright future. Let’s watch […]

  49. Josh Says:

    Thanks for putting this info together in one place. Every few months I get the idea that maybe OpenId isn’t so bad and maybe I should add support for it to my site (since all the big guys seem to trumpet it)… so I start looking at it again and every time I do I keep wondering what I’m missing, because as far as I can tell from my judgement, OpenId is terrible for both the end-users and the sites that implement ‘consumer-side’ support for it.

    And while you make some very good/interesting points about the security of such a system, I don’t think you even have to go that deep to realize this is bad news. In fact, a recent video interview with Allen Tom of Yahoo… really highlights to me why this is a steaming pile. Check out the video for yourself: http://developer.yahoo.net/blogs/theater/archives/2008/01/experts_work_allen_tom_technical_yahoo.html

    NOTE: If you want to save yourself the OpenID evangelism, just jump to time 9:20 and watch the demo of what the *improved* OpenID 2.0 user-experience is like… utterly terrible.

  50. Good Design always wins » Blog Archive » Passwords, logins and OpenId Says:

    […] many people have pointed out, OpenId is a big fat invitation to phishers. (There’s one way around it, more […]
